
Cyber UL Could Become Reality Under Leadership of Hacker Mudge

UPDATE–One of the longstanding problems in security–and the software industry in general–is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime researcher and hacker better known as Mudge in security circles, announced he’s leaving Google to start an initiative designed to be a cyber version of Underwriters’ Laboratory.

Zatko said on Monday that he had decided to leave Google’s Advanced Technology and Projects team and start a cyber UL, at the behest of the White House.

“Goodbye Google ATAP, it was a blast. The White House asked if I would kindly create a #CyberUL, so here goes!” Zatko said on Twitter.

The new project will not be run out of the White House, Zatko said, and the specifics of the plan are not clear right now. But the fact that someone with Zatko’s experience, history, and respect in the security community is involved in the project lends immediate weight and potential to it.

Zatko is one of the members of the L0pht hacker collective that formed in Boston in the 1990s, and the idea for something along the lines of this project took shape back then. John Tan, one of the members of the L0pht, wrote a paper describing a possible model for a “cyber UL” in 1999, an organization that would certify the reliability and quality of a security product. The paper describes a key problem in the security industry, a problem that still exists more than 16 years later: No one has a good way to prove the claims made by vendors.

“Similarly to early electrical inventions, today’s computer security products may introduce more harm than good when implemented by end users. While some of these products do what they claim, most do not. The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil. While many of the products may solve old problems and inadvertently introduce worse ones, some just do not perform as advertised at all,” the paper says.

Describing the problem is one thing, and solving it is another thing altogether. Product testing and certification authorities for software and hardware have existed for many years, but they are sometimes seen as ineffective or beholden to the manufacturers whose products they are testing. Creating an independent organization that will perform these functions could solve much of this problem.

“The arrival of a government body interested in standardizing security testing for software and hardware couldn’t come at a better time. A well-designed entity here would rely on automation as much as possible, as to address the massive scale of the security problem for software,” said Christien Rioux, a member of the L0pht and currently the chief scientist at Veracode.

Zatko has a long record in the security community and has held a wide variety of positions in the last decade. Before joining Google, he worked at DARPA for several years, running a number of influential research programs, including Cyber Fast Track, which funded security research programs. Several high-profile researchers used grants from the CFT program to fund their research, including Charlie Miller and Chris Valasek, who funded their ground-breaking work on the security of automotive systems, and Joe Grand, who did work on deconstructing printed circuit boards. CFT also helped fund Miller’s research on NFC security and Moxie Marlinspike’s work on the Convergence system.

Grand, a hardware engineer and researcher who runs Grand Idea Studios, said he sees a lot of potential in the cyber UL idea, but also some possible hurdles.

“Technology, especially in the ‘cyber’ community, moves so quickly that having a checklist, rating system, test procedure, etc. to classify the security of products/systems won’t be enough. I’ve always been fearful/doubtful of any type of compliance/rubber stamp of ‘Product x is secure’ or ‘Product x meets required specifications’ (e.g., like FIPS140), since just because features are implemented doesn’t mean they’re implemented correctly and could still potentially be broken (either in ways we know or future attacks that we don’t),” Grand said via email.

Two years ago, when he announced that the CFT program was ending at DARPA, Zatko said that the complexity of the security landscape makes defenders’ jobs progressively more difficult.

“When you see that more and more money is being invested and the problem is getting worse, people ask whether we should invest more or none at all,” he said during a talk at the CanSecWest conference in 2013. “Why are we not making progress? There’s a whole bunch of factors involved.”

Before moving to DARPA, Zatko spent many years at BBN Technologies, a pioneering technology company, and was a top researcher at @stake, the security consultancy and research company.

This story was updated on June 30 to add Rioux’s and Grand’s comments.

Discussion

There are currently 3 major security certifications that products can pursue now: FIPS 140-2 validation, Common Criteria, and listing on the Unified Capabilities Approved Product List (UC APL). Much like other security standards (NIST 800-53, COSO, PCI-DSS, etc), the worry is that this could just be another one in the industry and add to the confusion (see the XKCD comic on this very thing). This "Cyber UL" will have to stand out somehow, and I am not sure how it will do that. Maybe that is the secret sauce that we will see when it starts?
